
Scan a repo for secrets and encrypt/decrypt them in-place.

Project description

superencrypt

https://pypi.org/project/superencryptx/

CLI to scan a repo for secrets (including env files, Dockerfiles, compose files, and YAML/TOML/JSON/INI-style configs), encrypt them in-place, and decrypt them later using a key.

Why

superencrypt helps you keep accidental secrets out of your repo history by encrypting sensitive values in-place while keeping files versionable.

Install

pip install superencryptx

uv (recommended)

uv tool install superencryptx

No venv (recommended)

pipx install superencryptx

System install (no venv)

python3 -m pip install --user superencryptx

Quick start

# Encrypt in-place (generates a key, prints it, and writes .superencrypt.key)
superencrypt encrypt

# Decrypt in-place (use in CI/CD pipelines)
superencrypt decrypt --key-file .superencrypt.key

Usage

# Show help
superencrypt --help

# Encrypt in-place (generates a key, prints it, and writes .superencrypt.key)
superencrypt encrypt

# Decrypt in-place (provide key or key file)
superencrypt decrypt --key-file .superencrypt.key

# Scan only (no changes)
superencrypt scan

# Scan output formats
superencrypt scan --table
superencrypt scan --json

# Scan a single file
superencrypt scan --file path/to/file

# Encrypt/decrypt a single file
superencrypt encrypt --file path/to/file
superencrypt decrypt --file path/to/file --key-file .superencrypt.key

Pipeline example

export SUPERENCRYPT_KEY="$(cat .superencrypt.key)"
superencrypt decrypt --key "$SUPERENCRYPT_KEY"

Key file usage

# Generate a key and write .superencrypt.key
superencrypt encrypt

# Use the key file to decrypt
superencrypt decrypt --key-file .superencrypt.key

# Load key into env and decrypt (CI/CD friendly)
export SUPERENCRYPT_KEY="$(cat .superencrypt.key)"
superencrypt decrypt --key "$SUPERENCRYPT_KEY"

Limitations

  • superencrypt uses pattern and heuristic matching. It focuses on raw literal values and may miss secrets that are:
    • Generated or templated at runtime.
    • Pulled from variables, references, or function calls.
    • Hidden inside custom formats or encrypted blobs.
  • Always use defense-in-depth (secret managers, least privilege, CI checks).

Recognized Tokens

  • AWS access keys and session tokens
  • GitHub tokens (ghp_, gho_, ghs_, ghu_, github_pat_)
  • Slack tokens (xoxb-, xoxp-, xoxa-, xoxr-, xoxs-)
  • Azure storage connection strings and SAS tokens
  • GCP API keys (AIza...) and OAuth tokens (ya29...)
  • JWTs
  • Database connection strings with embedded credentials
  • PEM private key headers (BEGIN ... PRIVATE KEY)

Notes

  • Encrypted values are stored as ENC[<token>].
  • Protect the key file .superencrypt.key and do not commit it.
  • Run superencrypt scan first to review the matches before encrypting.
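
An added example, not part of superencrypt or its documentation: a check to run after encrypting that flags recognizable tokens still sitting outside the ENC[...] wrapper. The regexes are simplified assumptions covering a few families from the Recognized Tokens list, not the tool's own rules, and every sample value is constructed.

```python
import re

# Simplified patterns for a few families from the "Recognized Tokens" list.
# Assumption: illustrative only, not superencrypt's own matching rules.
PATTERNS = {
    "github_token": re.compile(r"\b(?:gh[pous]_|github_pat_)[A-Za-z0-9_]{20,}"),
    "slack_token": re.compile(r"\bxox[bpars]-[A-Za-z0-9-]{10,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gcp_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Encrypted values are stored as ENC[<token>]; blank them out before matching
# so ciphertext that happens to resemble a token is not reported.
ENC_WRAPPER = re.compile(r"ENC\[[^\]]*\]")


def find_plaintext_secrets(text):
    """Return (line_number, kind) for recognizable tokens outside ENC[...]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        visible = ENC_WRAPPER.sub("ENC[]", line)
        for kind, pattern in PATTERNS.items():
            if pattern.search(visible):
                findings.append((lineno, kind))
    return findings


# Constructed sample config; all values are fake and built from filler characters.
SAMPLE = "\n".join([
    "GITHUB_TOKEN=ghp_" + "a" * 36,            # plaintext token: flagged
    "SLACK_BOT=ENC[xoxb-" + "Z" * 40 + "]",    # wrapped value: ignored
    "AWS_ACCESS_KEY_ID=AKIA" + "A" * 16,       # plaintext key id: flagged
    "DB_PASSWORD=${VAULT_DB_PASSWORD}",        # reference, not a literal: not matched
])

if __name__ == "__main__":
    for lineno, kind in find_plaintext_secrets(SAMPLE):
        print(f"line {lineno}: unencrypted {kind}")
```

The DB_PASSWORD line is not reported, which matches the Limitations section: pattern matching only sees raw literal values, not values pulled from references.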

Development

python -m venv .venv
source .venv/bin/activate
pip install -e .

Download files

Source Distribution

superencryptx-0.1.2.tar.gz (11.3 kB)

Uploaded Source

Built Distribution

superencryptx-0.1.2-py3-none-any.whl (11.6 kB)

Uploaded Python 3

File details

Details for the file superencryptx-0.1.2.tar.gz.

File metadata

  • Download URL: superencryptx-0.1.2.tar.gz
  • Upload date:
  • Size: 11.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.2

File hashes

Hashes for superencryptx-0.1.2.tar.gz
Algorithm Hash digest
SHA256 d95411d3c6c69a0cf1e9a94f3741f3420d51b540d90c3a56abfb880f3c56d140
MD5 66bc99581e1bb55e1ecba3adf249ab69
BLAKE2b-256 2272df973c7a38c24034d04cf4b7190edb5c964c3cb4324ae1abed9f1dc90af6

File details

Details for the file superencryptx-0.1.2-py3-none-any.whl.

File metadata

  • Download URL: superencryptx-0.1.2-py3-none-any.whl
  • Upload date:
  • Size: 11.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.2

File hashes

Hashes for superencryptx-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 780edd3dd637bff26f8837b192bf51010af9e623c8d708442bab78701a048fb3
MD5 c14689f9604b5c65f018e2bd876ea017
BLAKE2b-256 f378e9f0df6d28252617041577912ccf649c6b19ea4cafe8e8a9ec6a90d9dab4
